Firewall rules problems ?
-
I don't understand what's wrong with my rules...
I want to be able to communicate from the LAN to the other networks.
Here are the ping results:
LAN HOST --> LAN GW = OK
LAN HOST --> google = OK
LAN HOST --> LABO (OPT2) GW = NOK
LAN HOST --> LABO (OPT2) HOST = NOK
LAN HOST --> IOT (OPT1) GW = NOK
LAN HOST --> IOT (OPT1) HOST = NOK
PFSENSE --> LABO (OPT2) HOST = OK
PFSENSE --> IOT (OPT1) HOST = OK
LABO (OPT2) HOST --> OPT2 GW = OK
LABO (OPT2) HOST --> LAN GW = OK
LABO (OPT2) HOST --> LAN HOST = OK
IOT (OPT1) HOST --> OPT1 GW = OK
IOT (OPT1) HOST --> LAN GW = OK
IOT (OPT1) HOST --> LAN HOST = OK
Can you please help me... I think my eyes are playing tricks on me...
-
@benbegr said in Firewall rules problems ?:
I want to be able to communicate from the LAN to the other networks.
You're already good.
The default LAN rules, the ones you've found when installing pfSense, the ones you use right now, already permit you to connect to 'everywhere'.
A ping from LAN to Labo, the pfSense interface IP, should reply.
A host on Labo: check if that host actually replies to pings (coming from another network!).
Can you show your LAN settings? Labo settings?
-
@Gertjan said in Firewall rules problems ?:
A ping from LAN to Labo, the pfSense interface IP, should reply.
From the LAN, I can ping the LAN gateway and the internet, but I cannot ping the LABO gateway or a host on the LABO network. However, from the LABO network, I can ping everything.
@Gertjan said in Firewall rules problems ?:
Can you show your LAN settings? Labo settings?
@Gertjan Thanks for your reply !
Here are the LAN settings:
And the LABO settings
-
What kind of hardware are you running? Is it a Netgate appliance, and if so, which one?
I ask because in your LAN settings screenshot I see VLAN 4091. That is usually one of the special VLAN IDs reserved for the Marvell switch inside certain Netgate appliances. Setting the correct VLAN configuration is critical for the Marvell switch devices, as the "ports" you see exposed are not truly individual hardware ports. They are simply ports connected to a common SoC (system on a chip) Ethernet switch. VLANs are configured internally on that Marvell switch to produce pseudo-individual ports (LAN, OPT1, OPT2, etc.). And adding a LAGG on top of that doubly complicates things.
-
@bmeeks Thank you for your reply! Yes, it is a Netgate 7100.
Here's how the VLANs are configured:
-
@benbegr:
I've not configured an XG-7100, so I'm no expert on setting up the Marvell switch. I assume you have read through all the documentation available here: https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/configuring-the-switch-ports.html and here: https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html.
Tagging @stephenw10 here as he is the Netgate hardware expert. He should see the tag and weigh in soon.
-
@benbegr said in Firewall rules problems ?:
LAN HOST --> LABO (OPT2) GW = NOK
LAN HOST --> LABO (OPT2) HOST = NOK
LAN HOST --> IOT (OPT1) GW = NOK
LAN HOST --> IOT (OPT1) HOST = NOK
O_o sounds strange, could make sense only in the case of a static route on the LAN host. But that would cause no reply to others too.
All the GWs are pfSense interfaces, right? The rules are not the issue; as per above you have almost all vs. all.
I would follow with a packet capture from the pfSense GUI, packets from the LAN host, first on the LAN interface then on the destination interface. Just in case, a tracert too from the LAN host.
Are there any NAT rules? A secondary NIC on the LAN host, with an overlapping LAN?
-
Your comment gave me the bug... I double-checked my LAN host config and found out that on the LAN host there was a static route that was sending packets to the LABO network using the wrong gateway... I'm really sorry to have taken your time for such a stupid thing... thank you very much for your time and your help...
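The root cause in the last post is a stale static route on the LAN host, which pfSense firewall rules and packet captures on the firewall can never reveal because the affected packets never reach the firewall. As an added example that is not part of this thread, the Python below parses Linux `ip route show` output from the LAN host, performs the same longest-prefix-match lookup the host kernel does, and flags every destination whose next hop is neither on-link nor the pfSense LAN address. The sample route table and all 192.168.x addresses are constructed for the example; the thread gives no addresses.

```python
import ipaddress

# Constructed `ip route show` output from a LAN host (not from the thread).
# The default route points at the pfSense LAN address, but a stale static
# route sends the LABO (OPT2) network to some other box on the LAN.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.20.0/24 via 192.168.1.254 dev eth0
"""

# Assumed pfSense LAN interface address (constructed).
PFSENSE_LAN_GW = ipaddress.ip_address("192.168.1.1")


def parse_ip_route(text):
    """Turn `ip route show` lines into (prefix, gateway) tuples.

    A route without a 'via' keyword is directly connected (gateway None).
    'default' is normalised to 0.0.0.0/0 so it takes part in prefix matching.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        # strict=False accepts host routes written without a /32 mask
        routes.append((ipaddress.ip_network(prefix, strict=False), gw))
    return routes


def lookup(dest, routes):
    """Longest-prefix match, as the host kernel does: returns (network, gateway)."""
    d = ipaddress.ip_address(dest)
    best = None
    for net, gw in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def find_misrouted(destinations, routes, expected_gw):
    """Return (dest, matched_prefix, gateway) for each destination whose next hop
    is neither on-link nor the expected firewall address.

    Those are exactly the destinations whose packets never reach pfSense, so no
    firewall rule or capture on pfSense can explain a failed ping to them.
    """
    bad = []
    for dest in destinations:
        match = lookup(dest, routes)
        if match is None:
            bad.append((dest, None, None))  # no route at all
            continue
        net, gw = match
        if gw is not None and ipaddress.ip_address(gw) != expected_gw:
            bad.append((dest, str(net), gw))
    return bad


if __name__ == "__main__":
    # Test targets mirroring the thread: Internet, LABO host, LAN GW, IOT host.
    targets = ["8.8.8.8", "192.168.20.10", "192.168.1.1", "192.168.30.5"]
    for dest, net, gw in find_misrouted(targets, parse_ip_route(SAMPLE_IP_ROUTE), PFSENSE_LAN_GW):
        print(f"{dest}: matched {net}, next hop {gw} is not the firewall")
```

Run it with `ip route show | python3 -` adapted to read stdin, or paste the host's table into `SAMPLE_IP_ROUTE`; the one flagged entry here is the LABO host, matching the symptom pattern in the first post (everything else reachable, only one network dead from one host). Windows hosts give the same information with `route print`, and the `tracert` suggested above shows the same thing as a first hop that is not the pfSense LAN address.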